The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for artificial intelligence (AI) training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” … Continue Reading

On November 27, 2023, the California Privacy Protection Agency (CPPA) published proposed Automated Decision-Making Rules to be discussed by the CCPA board at its upcoming meeting on December 8, 2023.  While the proposed rules are far from final—indeed, they are not even official draft rules—they signal that the CPPA is considering rules that would have significant impact on businesses subject to the California Consumer Privacy Act (CCPA).… Continue Reading

California continues to be at vanguard of data privacy rights.  The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians.  The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires a Californians to submit their deletion and opt-out requests on a company-by-company basis.… Continue Reading

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues.  Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the  process moving forward. … Continue Reading

On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA).  This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply with consumer opt-out requests or otherwise failed to offer mechanisms for consumers to stop the sale of their personal information.   … Continue Reading

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception.  As a result, when the the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. … Continue Reading

Our discussion examines the FTC’s Advanced Notice of Proposed Rulemaking relating to what it describes as “commercial surveillance” and the CFPB’s circular confirming that covered persons and service providers may violate the Consumer Financial Protection Act’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information.  We consider the ANPR’s scope, its areas of focus, and potential federal and state obstacles to the FTC’s initiative. … Continue Reading

In an active week for federal regulators, the Federal Trade Commission (FTC) joined the CFPB in announcing important initiatives that may change privacy and data security practices in major ways.

On August 11, the FTC released its Advanced Notice of Proposed Rulemaking, seeking public input on a host of questions relating to what it describes as “commercial surveillance”—or “the business of collecting, analyzing, and profiting from information about people”—in order to determine whether to issue a  new rule “to protect people’s privacy and information in the commercial surveillance economy.”    … Continue Reading

In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently.  The proposed amendments were initially made public in a package of materials to be considered by the CPPA at its upcoming June 8 meeting.  The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA. … Continue Reading

The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations.  To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. … Continue Reading